From dba9977525d070b52f49d05c718855e60e09c1d8 Mon Sep 17 00:00:00 2001
From: Peter Parente
Date: Thu, 10 Sep 2015 22:01:14 -0400
Subject: [PATCH] Create jovyan in Dockerfile, reset UID at startup

* Create user jovyan with UID=1000 in the default users group in the Dockerfile
* Set group ownership of user home and conda to root to avoid 'users' group from host access when mounted
* Set stick bit on both paths so root owns subdirs too
* Change jovyan UID if NB_UID is specified and is not the default 1000

Contribution (c) Copyright IBM Corp. 2015
---
 minimal-notebook/Dockerfile | 21 ++++++++++++++++++---
 minimal-notebook/start-notebook.sh | 28 ++++------------------------
 2 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/minimal-notebook/Dockerfile b/minimal-notebook/Dockerfile
index f89acddd..4ee702cd 100644
--- a/minimal-notebook/Dockerfile
+++ b/minimal-notebook/Dockerfile
@@ -29,11 +29,15 @@ RUN apt-get update && apt-get install -yq --no-install-recommends \
 # Configure environment
 ENV CONDA_DIR /opt/conda
 ENV PATH $CONDA_DIR/bin:$PATH
+ENV NB_USER jovyan
+ENV NB_UID 1000
 
 # Install conda
-RUN echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
+RUN mkdir -p $CONDA_DIR && \
+ chmod g+s $CONDA_DIR && \
+ echo export PATH=$CONDA_DIR/bin:'$PATH' > /etc/profile.d/conda.sh && \
 wget --quiet https://repo.continuum.io/miniconda/Miniconda3-3.9.1-Linux-x86_64.sh && \
- /bin/bash /Miniconda3-3.9.1-Linux-x86_64.sh -b -p $CONDA_DIR && \
+ /bin/bash /Miniconda3-3.9.1-Linux-x86_64.sh -f -b -p $CONDA_DIR && \
 rm Miniconda3-3.9.1-Linux-x86_64.sh && \
 $CONDA_DIR/bin/conda install --yes conda==3.14.1
 
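Review bot: The two new `ENV NB_USER jovyan` / `ENV NB_UID 1000` lines use the legacy space-separated form; the `key=value` form is the documented one and both values fit in a single instruction, `ENV NB_USER=jovyan NB_UID=1000`. On the rewritten RUN line, `chmod g+s $CONDA_DIR` sets the setgid bit, which is not the sticky bit the commit message describes, and nothing in the hunk says why it is there; a comment such as `# setgid: files created under $CONDA_DIR inherit the directory's group (root) rather than the creator's` would make the intent clear to the next reader. The `-f` added to the installer invocation is needed because `mkdir -p` now pre-creates the target, which is worth a short comment too, since it otherwise looks like an unrelated flag change.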
@@ -43,6 +47,16 @@ RUN conda install --yes \
 terminado \
 && conda clean -yt
 
+# Create jovyan user with UID=1000 and in the 'users' group
+# Grant ownership over the conda dir and home dir, but stick the group as root.
+RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \
+ chmod g+s /home/$NB_USER && \
+ mkdir /home/$NB_USER/work && \
+ mkdir /home/$NB_USER/.jupyter && \
+ mkdir /home/$NB_USER/.local && \
+ chown -R $NB_USER:root $CONDA_DIR && \
+ chown -R $NB_USER:root /home/$NB_USER
+
 # Configure container startup
 EXPOSE 8888
 CMD [ "start-notebook.sh" ]
@@ -50,4 +64,5 @@ CMD [ "start-notebook.sh" ]
 # Add local files as late as possible to avoid cache busting
 COPY start-notebook.sh /usr/local/bin/
 COPY notebook.conf /etc/supervisor/conf.d/
-COPY jupyter_notebook_config.py /etc/skel/.jupyter/
+COPY jupyter_notebook_config.py /home/$NB_USER/.jupyter/
+RUN chown -R $NB_USER:root /home/$NB_USER/.jupyter
\ No newline at end of file
diff --git a/minimal-notebook/start-notebook.sh b/minimal-notebook/start-notebook.sh
index c4fb0c37..70cddf1f 100755
--- a/minimal-notebook/start-notebook.sh
+++ b/minimal-notebook/start-notebook.sh
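Review bot: The `useradd -m -s /bin/bash -N -u $NB_UID $NB_USER` line relies on `-N` plus the system default primary group from /etc/default/useradd to land the user in 'users', so the membership the comment above it promises is only true if that default is unchanged in the base image; passing the group explicitly, `useradd -m -s /bin/bash -N -g users -u $NB_UID $NB_USER`, makes the comment hold by construction and pins the GID the `chown -R $NB_USER:root` lines below are designed around. The comment also hardcodes "UID=1000" while the instruction takes `$NB_UID`, so `# Create $NB_USER with UID $NB_UID in the default 'users' group` would stay accurate when the build argument changes. Since the two `chown -R` calls hand the whole conda install to the notebook user, a one-line comment stating that this is deliberate (the user is meant to install packages into the root env) would save a reviewer from flagging it later.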
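Review bot: The new `COPY jupyter_notebook_config.py /home/$NB_USER/.jupyter/` followed by a separate `RUN chown -R $NB_USER:root /home/$NB_USER/.jupyter` writes the file twice into the image, once root-owned and once re-owned in a fresh layer. On Docker 17.09 or later the same result comes from one instruction, `COPY --chown=jovyan:root jupyter_notebook_config.py /home/$NB_USER/.jupyter/`, with no follow-up RUN; whether `--chown` expands `$NB_USER` depends on the builder version, so the literal user name is the safer spelling there. If the project still has to build on older engines, a comment on the RUN line noting that it exists only because `COPY` cannot set ownership would explain the extra layer.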
@@ -1,29 +1,9 @@
 #!/bin/bash
 
-# Constants
-NB_USER=jovyan
-NB_HOME=/home/$NB_USER
-NB_WORK=$NB_HOME/work
-
-# Create non-root NB_USER if one doesn't exist
-id -u $NB_USER && user_exists=true
-if [ -z "$user_exists" ] ; then
- useradd -m -s /bin/bash -u ${NB_UID:-1000} $NB_USER
-
- # Setup a work directory rooted in the NB_USER home
- mkdir -p $NB_WORK
- chown -R $NB_USER.$NB_USER $NB_HOME
-
- # Allow NB_USER group to update conda root env
- chown -R root.$NB_USER $CONDA_DIR
- chmod g+w $CONDA_DIR
-fi
-
-# Copy skeleton files if useradd didn't do it (e.g., volume mounted dir
-# residing in NB_HOME prevented it)
-if [ ! -d $NB_HOME/.jupyter ]; then
- cp -r /etc/skel/. $NB_HOME
- chown -R $NB_USER.$NB_USER $NB_HOME
+# Change UID of jovyan to NB_UID if it does not match
+if [ "$NB_UID" != $(id -u jovyan) ] ; then
+ usermod -u $NB_UID $NB_USER
+ chown -R $NB_UID:$NB_UID $CONDA_DIR
 fi
 
 # Enable sudo if requested
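Review bot: `chown -R $NB_UID:$NB_UID $CONDA_DIR` sets the group to a GID numerically equal to the requested UID, which undoes the `$NB_USER:root` group ownership the Dockerfile half of this commit establishes for the conda tree and may reference a group that does not exist in the container; `chown -R "$NB_UID":root "$CONDA_DIR"` keeps the startup state consistent with the image. The condition hardcodes `jovyan` while the body uses `$NB_USER`, and the unquoted `$(id -u jovyan)` leaves `[` with a missing operand if the lookup ever fails; `if [ "$NB_UID" != "$(id -u "$NB_USER")" ]; then` fixes both. `usermod -u` appears to re-own the home directory itself on common distributions, which presumably is why only `$CONDA_DIR` is re-owned here; a comment saying so would keep the next reader from adding a redundant home chown. The script continues past this hunk, so the later sudo handling was not reviewed.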